Crochet should ensure that the realm is sealed

[robotlolita]

Currently, Crochet does not do any changes to JavaScript's semantics. But any JavaScript code loaded after Crochet might do so, because the intrinsic objects are globally mutable in the default realm. This means that even semantics Crochet relies on for correctness, and security assumptions it makes based on JavaScript's default semantics might turn out to be incorrect. This is not acceptable.

Of course, the problem is that Crochet can't just lock down the semantics on its own: for example, in the Browser it is the user who decides when to load Crochet, and at that point in time several other pieces of JS might have been loaded---they might even have been injected there by random extensions the user has installed. At that point there's nothing Crochet can do, because there's nothing it can realistically assume from the environment. On the other hand, if Crochet does manage to be the first thing loaded and then lock down the realm (to guarantee some base semantics), any code being loaded after that does not know this semantic change has taken place will not work, causing a fair amount of frustration to users. If Crochet uses a separate realm to load itself FFI suffers. There's no winning in this game. And the user that is embedding Crochet needs to be, unfortunately, aware of all of this complexity.

This is not currently considered a pressing issue because Crochet is in experimental release, however, in the presence of thirdy-party untrusted code, this makes Crochet vulnerable to silly JavaScript attacks like prototype pollution. This is, to some extent, the case with Crochet's trusted code base. Though Crochet keeps external dependencies on the runtime minimal, none of them have been verified, and should not be considered secure.